Essay details:

  • Subject area(s): Engineering
  • Published on: 7th September 2019
  • Number of pages: 2

Telnet / Port 23

Identify and describe the attack type, as well as the port and service it attempts to exploit. Describe the attack and how it attempts to compromise the remote system, and explain what types of data the port is normally used to transmit.

Telnet is a Transmission Control Protocol (TCP)-based application layer protocol that uses port 23. TCP works with Internet Protocol (IP) to transmit data, and the two are often referred to as one, TCP/IP. TCP establishes a connection between devices to allow communication, and IP transmits data by breaking it into chunks, or packets, that are routed along whatever path is determined to be the most efficient for each packet; the packets are reassembled at the destination. Port 23 uses TCP to guarantee data delivery, and TCP guarantees that data will be delivered to port 23 in the same order in which it was sent. Telnet uses a client-server topology by imitating a terminal connection between devices: the device that listens for commands and replies to them is the Telnet server, and the terminal emulator is the Telnet client. Telnet is used to communicate remotely with a device and is especially useful for configuring a device without requiring an administrator to physically connect a cable to it. However, Telnet sends data as clear text, and this lack of encryption is a security concern. Telnet attacks can be described as communication sniffing, brute force attacks, and Denial of Service (DoS). Because data is transmitted without encryption, configuration commands may be read, including passwords, and an intruder may use this information to take over the device(s). Sniffing provides a way to intercept data and read passwords along with other information such as email or files. Attackers may open a Telnet connection in order to begin a brute force attack, a systematic checking of all keys or passwords until the correct one is found, to gain access to other areas of the network. DoS attacks attempt to stop communication by consuming the entire bandwidth available to a networked device so that legitimate communication cannot reach its destination.

These descriptions - communication sniffing, brute force, and DoS - are not meant to imply that these techniques only occur as discrete events. For example, DoS can use brute force techniques to disrupt communication: by overwhelming the system with requests, it cannot keep up with demand and communication slows or stops.
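As an added example (not part of the essay), the following detector targets the brute-force pattern described above: it parses constructed syslog-style failed-login lines from a Telnet daemon (the line format is assumed, not copied from any real telnetd) and flags a source only when its failures cluster inside a short sliding window, so one mistyped password never trips it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style lines modelled on a Telnet login daemon's
# login results (hypothetical format, not taken from a real telnetd).
SAMPLE_LOG = """\
2019-09-07T10:00:01 router telnetd[411]: LOGIN FAILED user=admin from=203.0.113.7
2019-09-07T10:00:02 router telnetd[411]: LOGIN FAILED user=admin from=203.0.113.7
2019-09-07T10:00:04 router telnetd[411]: LOGIN FAILED user=root from=203.0.113.7
2019-09-07T10:00:05 router telnetd[411]: LOGIN FAILED user=cisco from=203.0.113.7
2019-09-07T10:00:06 router telnetd[411]: LOGIN FAILED user=admin from=203.0.113.7
2019-09-07T10:00:09 router telnetd[411]: LOGIN OK user=ops from=192.0.2.10
2019-09-07T10:03:30 router telnetd[411]: LOGIN FAILED user=ops from=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ telnetd\[\d+\]: LOGIN (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {src_ip: (failure_count, sorted distinct users)} for every source
    that produced at least `threshold` failed Telnet logins within any
    `window_s`-second sliding window. Isolated slow failures never alert."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) still in window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "FAILED":
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append((ts, m["user"]))
        # Expire failures older than the window so only a burst counts.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and m["src"] not in alerts:
            alerts[m["src"]] = (len(q), sorted({u for _, u in q}))
    return alerts

if __name__ == "__main__":
    for src, (n, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} failed Telnet logins in 60s, users tried: {users}")
```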

Explain how that specific attack can be used to do damage or compromise a remote system, and how the result of a successful attack might manifest. Be aware this can be multi-faceted; it could include system downtime, loss of reputation, damaged/stolen files, etc.

Telnet attacks can be used to access unencrypted data, and they can be used to bombard a network with traffic to such a degree that functionality slows or collapses entirely. In 2008, the hacker group Anonymous targeted the website Scientology.org in a Distributed Denial of Service (DDoS) attack that managed to make the site inaccessible. In a DDoS attack, many unique IP addresses attack a single target to make it unavailable to its intended users. In addition to targeting the organization’s official website, Anonymous leaked documents from Scientology computers

Investigate what countermeasures are effective against an attack of that type; what can be done to prevent it, detect it, or mitigate/stop it once it has started?

Encrypting all data can mitigate Telnet attacks because, even if an intruder is able to access a network, they may be unable to interpret the data being communicated. Telnet is a known security concern, so most system administrators have moved to Secure Shell (SSH). SSH was designed as a replacement for Telnet and functions similarly, with a client-server topology, but it encrypts the data before sending it and uses port 22 instead of 23. SSH, which was first developed in 1995, provides a secure channel of communication over an insecure network. Open-source versions of SSH have been developed since its inception, and OpenSSH has been the most popular open-source implementation since 2005. Despite this advance in security, some administrators fail to make the change, and in 2011 Akamai Technologies, a content delivery and cloud service provider that specializes in managing content and Web traffic, noted in its 2010 third quarter report an increase in Telnet attacks against corporate servers via mobile networks. The report described the attacks as originating from infected PCs that connected to wireless networks through mobile broadband technology, not from infected mobile devices. In addition to the use of SSH, it is recommended that IPv6 be used instead of IPv4 and that Secure Sockets Layer (SSL) be used for email instead of POP or IMAP. IPv4 was developed in the 1980s and was not designed to anticipate current technological needs or hacking techniques. IPv6 was designed to meet current performance needs, and it runs end-to-end encryption, which is important in keeping data secure. SSL employs encryption to secure data sent over the Internet. It is the industry standard for establishing an encrypted link between a web browser and server,

SMTP / Port 25

Identify and describe the attack type, as well as the port and service it attempts to exploit. Describe the attack and how it attempts to compromise the remote system, and explain what types of data the port is normally used to transmit.

SMTP stands for Simple Mail Transfer Protocol. This attack type tries to exploit e-mail services on a server. Because there is very little security built into this protocol, it is fairly easy to hack - attackers simply have to telnet to port 25. From there, they use the VRFY command to check a list of possible e-mail addresses for existing user IDs, or the EXPN command to check for any existing mailing lists on the server. Once valid addresses are acquired, they can be used as targets for spam e-mails from the attacker, which may contain malware or be used to harvest important information.

Explain how that specific attack can be used to do damage or compromise a remote system, and how the result of a successful attack might manifest. Be aware this can be multi-faceted; it could include system downtime, loss of reputation, damaged/stolen files, etc.

While the main purpose of an SMTP attack is to harvest email addresses through port 25, it can also be used to gather header disclosures that may contain important company information. This gathered information can consist of IP addresses, client and email server software, and network hostnames, which could allow the attacker to exploit software vulnerabilities or expose network naming conventions. Another form of SMTP attack is to use the exploited server as an open relay, sending spam or malware through your server and making it appear as if you were the one who sent it.

Investigate what countermeasures are effective against an attack of that type; what can be done to prevent it, detect it, or mitigate/stop it once it has started?

One countermeasure against SMTP attacks is to disable the VRFY and EXPN commands. This may not be a solution, however, if your remote systems need to be able to access the user and mailing lists from the server. If so, another solution may be to use the server or a firewall to limit those commands to specific hosts on your network. Another safeguard is to ensure that company e-mail addresses are not posted on the web. You can also prevent header disclosures by configuring your server to rewrite email headers so that they don’t contain any valuable information. Another way to prevent attacks is to make sure you have working antivirus software. You should also make sure that your email server has open SMTP relaying disabled, and you may also be able to add a layer of password authentication to your server.
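The two VRFY/EXPN configurations discussed above, weak (answer everyone) and hardened (answer only allow-listed hosts), modelled as a small SMTP command handler. This is an added example, not code from the essay or any mail server; the user and list tables, the client addresses and the 192.0.2.0/24 admin subnet are constructed.

```python
import ipaddress

# Constructed directory data standing in for the mail server's user and list tables.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}
LISTS = {"staff": ["alice@example.com", "bob@example.com"]}

class SmtpPolicy:
    """Models the two VRFY/EXPN settings discussed above: expose the directory to
    everyone (weak), or answer only for allow-listed hosts (hardened)."""
    def __init__(self, expose_directory=False, allowed_hosts=()):
        self.expose_directory = expose_directory
        self.allowed = [ipaddress.ip_network(h) for h in allowed_hosts]

    def directory_allowed(self, client_ip):
        if self.expose_directory:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.allowed)

def handle_command(policy, client_ip, line):
    """Return the SMTP reply for one command line (string in, string out; no sockets)."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "VRFY":
        if not policy.directory_allowed(client_ip):
            # RFC 5321's non-committal reply: neither confirms nor denies the user.
            return "252 Cannot VRFY user, but will accept message and attempt delivery"
        # Weak path: the 250/550 split is exactly the oracle an enumerator relies on.
        addr = USERS.get(arg)
        return f"250 {addr}" if addr else "550 No such user here"
    if verb == "EXPN":
        if not policy.directory_allowed(client_ip):
            return "502 Command not implemented"
        members = LISTS.get(arg)
        if not members:
            return "550 No such list"
        lines = [f"250-{m}" for m in members[:-1]] + [f"250 {members[-1]}"]
        return "\r\n".join(lines)
    return "500 Unrecognized command"

weak = SmtpPolicy(expose_directory=True)
hardened = SmtpPolicy(allowed_hosts=["192.0.2.0/24"])   # assumed internal admin subnet

if __name__ == "__main__":
    for name, policy in (("weak", weak), ("hardened", hardened)):
        for ip in ("203.0.113.9", "192.0.2.5"):    # Internet client vs. internal host
            print(name, ip, handle_command(policy, ip, "VRFY alice"))
            print(name, ip, handle_command(policy, ip, "EXPN staff"))
```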

NTP / Port 123

Identify and describe the attack type, as well as the port and service it attempts to exploit. Describe the attack and how it attempts to compromise the remote system, and explain what types of data the port is normally used to transmit.

NTP refers to Network Time Protocol and is one of the oldest protocols currently in use. NTP is responsible for clock synchronization between systems and is intended to synchronize computers to within a few milliseconds of Coordinated Universal Time (UTC). It is important to coordinate clocks among computers to ensure coordination for packet distribution and to mitigate latency between networks. NTP uses User Datagram Protocol (UDP) to send and receive timestamps on port 123. NTP is usually set up and then left alone, so this protocol is not upgraded or maintained frequently. This leaves it very vulnerable to attacks. In this case, an attacker sends a small forged packet to the targeted IP address that elicits a response containing a very large amount of data. The MONLIST feature of NTP sends the requester, in this case the attacker, a list of the last 600 hosts that have connected to the server (MONLIST obtains and prints an NTP server’s monitor data). This is a very easy way for the attacker to learn who is connecting to that server so that they can then attempt to attack the hosts on the provided list and, perhaps, attempt to steal more data.

Explain how that specific attack can be used to do damage or compromise a remote system, and how the result of a successful attack might manifest. Be aware this can be multi-faceted; it could include system downtime, loss of reputation, damaged/stolen files, etc.

An NTP reflection attack spoofs a legitimate source IP address on a network and requests a response, which is usually granted. Because NTP is an old protocol, its security features are not in keeping with current demands. Once it receives a request from what is believed to be a genuine address, the UDP service complies with the request. This type of attack can be amplified by requesting a large amount of information. A small request can spawn a large response - a small amount of bandwidth from a few users can quickly create an enormous amount of traffic, and in this manner a DDoS attack may occur. In 2014, CloudFlare, a global content delivery network, was the victim of an NTP DDoS attack. The attack caused congestion at critical nodes in its European exchange and slowed communication.

Investigate what countermeasures are effective against an attack of that type; what can be done to prevent it, detect it, or mitigate/stop it once it has started?

NTP programs can be secured. Team Cymru, a non-profit specializing in Internet security, provides a template to configure NTP for increased security. NTPD servers should be upgraded to version ntpd v4.2.7p26, which was released in 2010. If MONLIST is a feature that is required, there is a command, MRULIST, that requires proof that a request comes from the IP address found in the UDP packet. Lastly, network administrators should implement a packet filtering technique to prevent address spoofing, namely network ingress filtering. Network ingress filtering is a “good neighbor” policy that relies on Internet Service Providers (ISPs) to collaborate for their mutual benefit. The Internet Engineering Task Force details the best current practice in BCP 38. BCP 38 filters forged packets by checking incoming packets from end users and allowing only those packets from IP addresses assigned to them to pass.
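An added example (not from the essay or any NTP implementation) tying together the MONLIST amplification described in the two paragraphs above and the BCP 38 ingress filtering recommended here: it decodes the NTP mode-7 header so a monlist request can be recognized on the wire, computes the amplification ratio from constructed request and response packets (600 monitored hosts, 6 entries of 72 bytes per 440-byte fragment), and applies the source-address check an ISP edge would perform. The packet bytes, addresses and customer prefix are constructed.

```python
import ipaddress
import struct

# NTP mode-7 ("private") header: byte 0 packs R|M|VN(3)|Mode(3), then
# sequence, implementation (3 = xntpd) and request code. Request code 42 is
# MON_GETLIST_1 (what "monlist" sends); 20 is the older MON_GETLIST.
MONLIST_CODES = {20, 42}
MON_ITEM_SIZE = 72   # bytes per monlist entry in a MON_GETLIST_1 response

def parse_mode7(payload):
    """Decode the 8-byte mode-7 header of a UDP/123 payload; None if not mode 7."""
    if len(payload) < 8:
        return None
    b0, _seq, impl, req_code, err_count, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != 7:
        return None
    return {
        "is_response": bool(b0 & 0x80),   # R bit set on replies
        "implementation": impl,
        "request_code": req_code,
        "item_count": err_count & 0x0FFF,  # low 12 bits: entries in this fragment
        "item_size": mbz_size & 0x0FFF,    # low 12 bits: bytes per entry
    }

def is_monlist_request(payload):
    """IDS-style check: an inbound mode-7 request asking for the monitor list."""
    h = parse_mode7(payload)
    return bool(h) and not h["is_response"] and h["request_code"] in MONLIST_CODES

def amplification(request, responses):
    """Bytes the reflector sends to the victim per byte the attacker sent."""
    return sum(len(r) for r in responses) / len(request)

def bcp38_allows(src_ip, customer_prefixes):
    """BCP 38 ingress filter at the ISP edge: forward a packet only if its
    source address belongs to the prefixes assigned to the link it arrived on."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p) for p in customer_prefixes)

# Constructed packets: the 48-byte monlist probe (header 17 00 03 2a, zeroed
# data) and one response fragment carrying 6 entries (8 + 6*72 = 440 bytes).
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(44)
MONLIST_RESPONSE = struct.pack("!BBBBHH", 0xD7, 0, 3, 42, 6, MON_ITEM_SIZE) + bytes(6 * MON_ITEM_SIZE)

if __name__ == "__main__":
    print("monlist request seen:", is_monlist_request(MONLIST_REQUEST))
    # 600 monitored hosts / 6 per fragment = 100 fragments answering one 48-byte request
    print("amplification: x%.0f" % amplification(MONLIST_REQUEST, [MONLIST_RESPONSE] * 100))
    # The forged request carries the victim's address, never assigned to this customer link
    print("BCP 38 forwards forged source:", bcp38_allows("198.51.100.1", ["203.0.113.0/24"]))
```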

TCP

The Transmission Control Protocol is a reliable way to error-check delivery between applications communicating over a network. Vint Cerf and Bob Kahn published A Protocol for Packet Network Intercommunication in 1974 via the Institute of Electrical and Electronics Engineers (IEEE). The paper described a protocol for sharing resources by using packet-switching. Packet-switching breaks a message into multiple parts that are sent independently along an optimal path (for each packet). The parts are reassembled at the destination so that many applications may use the same network in an efficient and robust manner. The paper originally described this model as the Transmission Control Program, which was later divided into the Transmission Control Protocol and the Internet Protocol (IP).

HTTP

HTTP stands for Hypertext Transfer Protocol. This protocol is used by the World Wide Web for sending information such as hypertext, data, and images between clients and servers. It is a standardized method of communication between computers. HTTP works by sending a request from the client (a browser) to the server that the user is trying to reach. The client then disconnects and waits for the server to respond. The server then responds with a status line and the content requested, if the request was a success. HTTP was developed by a team at CERN led by Tim Berners-Lee when he proposed the World Wide Web project in 1989.

QUIC

QUIC stands for Quick UDP Internet Connections and was originally designed by Jim Roskind at Google and implemented in 2012. This network protocol was developed to reduce the number of round trips that data makes as it travels across the Internet to load information into a browser. Google created this protocol because it wanted to improve upon the SPDY protocol, which runs over TCP. While SPDY was efficient at multiplexing requests over a single TCP connection, there were issues with load time when a single TCP packet was lost. Additionally, SPDY was slow to connect because it required multiple round trips to set up the TCP and TLS connections. With this in mind, Google implemented QUIC to have benefits similar to those of TCP and TLS, such as security, while avoiding issues with congestion or lost packets. QUIC employs bandwidth estimation in each direction in order to provide congestion avoidance and pace packet transmission to reduce packet loss.

Google uses a UDP connection because it could not significantly modify TCP. TCP is handled in the operating system kernel, and it is likely that most individuals would not upgrade their operating system for several years, which makes kernel protocols more difficult to evolve; this is why Google built on UDP, which is commonly used for games and voice over IP. As a result, QUIC provides improved benefits on the user end for loading information into a browser without the need to upgrade the operating system the user is running.

We selected the component labeled Internet Protocol Version 4. Otherwise known as IPv4, it is the fourth version of the Internet Protocol, and IP is the communications protocol that essentially launches the Internet. IPv4 is a connectionless protocol used on packet-switched networks, such as Ethernet. IPv4 also works on the best-effort delivery model, which means that it does not guarantee delivery and does not avoid duplicate delivery, as these issues are handled by TCP (Transmission Control Protocol). There are 5 classes used for Ethernet communication: A, B, C, D, and E. Each class has a different bit length when addressing the network host. Classes A, B, and C have a subnet mask which is used to distinguish the network portion of the IP address. It divides the IP address into a network and host address using “dotted-decimal” notation. Classes D and E are used in special circumstances, as Class D addresses are solely used for multicasting and Class E addresses are reserved for future use. A multicast address contains a single IP data packet set that corresponds to a network host group. So in our case, it falls under class B with a /16 subnet mask as the network 192.168.1.4 has the range of 1 and 4 (last two numbers). This network host may use addresses that range from 0 to 255. For IPv4, the maximum number of host addresses for end users is 2^32.

SRC

SRC refers to the source IP address of your computer, and it allows the destination node (DST) to know where to send its responses. IP communication is a bidirectional process, with one sender and one receiver. It is called IPv4 because there are 4 tuples in play here: source IP address, source port, destination IP address, and destination port. The source IP address is where incoming packets are streamed to, and without the source IP they would not have a direction to go in. Therefore, the source IP is not only important for starting the process, but it is also critical in finishing it up and receiving packets from the IP address it visited.
